Handling an External Audit and What You Show the Auditor
Oftentimes when employees hear that an auditor will be coming to site, there can be some nervousness around this, as they are not sure what to show the auditor. In this video, Chris explains what your employees need to know and show the external auditor.
Topics covered in the video are:
1. What senior management, management, other employees and compliance professionals will be audited against
2. Showing the auditor records, observations, interviews, documents
3. How to provide evidence that your operational/service delivery processes are planned, supported, controlled, monitored and improved
4. What to do if you don't understand what the auditor is asking
5. What to do if the auditor asks about steps you didn't perform
6. What to take from an external audit
Often what we experience is, we hear within organisations that the external auditor (i.e. certification auditor, customer auditor) is coming to site, and we start to hear there is a bit of tension in the workplace. In the office or workshop, people may start asking questions: what am I going to be asked, what am I going to be tested on?
One of the things I always say is that it's important that people with authority to control these audits provide some support to employees across the business. Making them aware that when an auditor comes to town, they're simply going to be auditing them on the activities that they are responsible for, work that they do, they're not going to be auditing them, or testing them on anything that they should not be familiar with.
So, it's important to settle any nerves and make them aware that this is not something they're being assessed on individually that's going to come back and hurt them at some point for any reason.
When I'm talking today and some of the images I'm showing today might refer to a quality management system, or some other type of system, it's important to know that this is referred to just as a general guide, about any type of external audit. But what I'm going to focus on in quite a lot of detail is a typical audit that people receive, which generally has quite a lot of importance in the organisation, and that's generally the certification or surveillance audits that come from an ISO external auditor, or that could be some other form of standard, BRC or API, for example.
This one in particular, I'm just going to refer to in terms of an ISO audit, and I'm going to go into the details of what would be expected to be presented to an auditor and what you can and what you may and may not present back to the auditor.
It’s important to understand what you'll be audited against. It's very important to recognise and share with an organisation that senior management, particularly against the new ISO standards, will be required to present across leadership requirements. Generally, this is referred to in Clause five as a whole, but there are other sections within the standard also, that the external auditor may want to see evidence of how that is working, and that can be related to communication, change management, etc.
Senior management certainly, are going to be required to be in attendance. That doesn't necessarily mean that has to be the managing director or the board of directors, it can be senior management that take responsibility for the health and safety management system or the quality management system for example.
There are other leaders within the business, that have responsibilities through management, and they may also be interviewed or questioned in relation to certain clauses. And that may be for example, inside clause seven, where we're talking about the support requirements and inside there, there are resources. So, inside the resource section, there may be a requirement to speak to, for example, a human resource manager.
That human resource manager would be discussing about items specifically to how they manage the human resources of that organisation, bringing people into the business, the induction process, the ongoing management of competence, the ongoing management of performance within the organisation associated to personnel.
Likewise, within that area, they may also, depending on the type of business you operate in, they may also be wanting to speak to operations managers, facilities managers, maintenance managers. These are people also within these sections around support, that have responsibility for ensuring, for example, the equipment and the activities associated around the equipment and the facility, are maintained correctly.
What were we referring to there? We're referring to things associated to, for example, the emergency activities around our facility.
We were referring to calibration and certification, maintenance, and other service records that might support that area around resources.
Of course, it is important to recognise the other employees within the organisation, and it's important that you pass this down through your organisation, other employees may be required to respond to questions from an auditor.
It is often the case that an auditor will want to speak with or maybe witness, work being completed. And generally speaking, good auditors will look to see and speak with the people that are doing that activity, rather than the people that manage the activity.
There's no reason why the manager cannot be in attendance, or the person that's overseeing the audit that can coordinate the different people that will be involved. But it is important that your employees recognise and understand what they will be asked.
So, they will be asked possibly, to demonstrate evidence that they understand the processes, procedures and work instructions related to their work tasks, things that they are responsible for.
They should not be tested and challenged on things associated to items that they have to memorise, maybe from a period when they were inducted into the business. They simply have to recognize that they know where to go, whether that's to a person or location on a notice board or to a website location for cloud software or a server location for information.
So the key point to discuss here is, particularly giving confidence to the employees that are a little bit nervous, giving them a sense that the questions that they will be asked to respond to are associated to what they do day in, day out. It is not a test and shouldn't feel like a test.
What about in terms of compliance?
Well, obviously there may be a compliance department, that could be QHSE quality compliance, it could be associated to compliance with information technology, it could be associated to compliance around quality control etcetera. So, there is going to be quite significant elements from these types of audits, where these individuals will be asked to demonstrate that.
You may be in an organisation that you do not have dedicated compliance individuals, but you may have other people within the organisation, particularly if you're a smaller organisation, where they have multiple responsibilities - their day job, as well as responsibilities for certain elements of compliance. These individuals will be asked to demonstrate the evidence associated to that compliance, and where possibly improvement activities have been generated.
Let's be quite clear here, an auditor is there to seek objective evidence and that objective evidence must be factual. It is important that you recognise that that individual, the questions they ask, if you're unsure about them, what type of questions they're actually looking to get responses from.
It is important to recognize that they cannot assume certain information, they must get evidence from you to provide that factual support. When there's auditing taking place around management or operational processes, there's a number of key areas of evidence that an auditor is going to look for.
The first thing they're going to be looking for is, they're going to be looking for records. They're going to ask to see and be able to verify consistent performance across processes, and procedures, and work instructions. They're going to want to see where certain information around these processes, procedures and work instructions, demonstrate or identify where records must be retained as part of your compliance and your operational performance, and they want to see that that activity is being done.
Often, they may also look to observe that activity happening. When that's the situation and they want to see that they may ask to be taken to the individual that performs a task and be asked to be presented with the method and how that is set up. So please demonstrate how that machine is set up, how that project or job is planned, and possibly where it's related to risks, they may ask to see, risk assessments, risk registers associated to certain tasks.
This is a great way of providing evidence to an auditor, particularly when it is a current job or a current activity that you're working on. It may also help to put your employee at rest, to recognise that all they are doing is demonstrating the jobs and the tasks that they do, day-in-day-out, and not being challenged any differently.
When you take an auditor or an auditor goes to a location where they're going to be speaking to your employees, it's important ahead of that, that you give some comfort to those employees, that they are not being challenged, they're not being tested. They are simply being asked to demonstrate so that an auditor can observe what they do in their normal day to day tasks.
There will be times when an auditor will ask questions in a certain way, using certain terminology. And it's important, and we'll talk about it later, that you give some confidence to your employees that if they do not understand the way that phrase or question has been presented to them, they have the capability and they have, you know, the right to be able to respond and ask for more clarification.
Carrying on with what you would show the auditor. Remember interviews help in order to verify that staff understand how to implement and undertake tasks in accordance with the processes and procedures.
When they observe something, that is when they may ask some questions. It's important also that it's not a memory test okay? It's important that people that are interviewed recognise that, if they do not have the knowledge to be able to recall information from memory, but at least they have the ability to be able to demonstrate in the interview, where they can go to access that information.
And probably the fourth item to mention on here is around documentation. Now depending on the auditor that comes to your site, some may be very focused on documents and using that information and spending a lot of time in an office space, a desk space, looking at documents, reading documents, and writing them down.
To be honest, as auditing is changing, I think a lot of auditors are changing as well, and there's a lot less focus on documentation. In particular as organisations use systems and software that allow them to control and put governance round their compliance and operational activities, there's less emphasis on documentation as these systems are put in place across businesses.
However, there is going to be that requirement to demonstrate to an auditor whether it is physical documents or whether it is operational activities, that they can see through for example, workflow within project management software, whether it might be compliance records through a cloud based QHSE system, etc, etc.
An auditor is going to want to see that your operational activities and services, whether they are manufactured activities, services that are delivered using manpower and tools, or whether these are services that are delivered from an office location, they're going to want to see that they are planned, supported, controlled, monitored and where appropriate, improved.
So how do we go about doing that? Basically, the best way to do this, again, is to use an example of a job that you're working on or a job that has recently finished. It will give you the capability to recall that information quite clearly and be able to demonstrate all the way through from the client’s requirement, your customer’s requirement, through to what their compliance and stakeholder obligations are. Any specific strategic KPIs, goals, tests, external assessments that are done to demonstrate that these activities have met your client’s requirements. And importantly, where these activities are planned and they need support around risks and stakeholder expectations, it is important that you are able to demonstrate the method you have gone through.
Likewise, where activities are using subcontracted services, you must be able to show the controls you have in place associated to that. This may be where you have brought in a new subcontracted service or a new raw material supplier. You want to be able to demonstrate the method and how you have identified that organisation, that supplier as critical or key to your business, and the methods and how you go about monitoring and controlling that organisation that supply this material or service to you.
Likewise, as you go through, ensure the monitoring activities that you take and that should be across the whole process, the whole activities, the whole steps that you do in your organisation. It is also important to be able to point out areas where opportunities for improvement have occurred or could occur.
Auditors are very keen to see where an area of opportunity for improvement has been identified, that this can be presented in a way that shows the method on how this was captured, reported upon, possibly investigated, possibly required management approval, and how those changes were then communicated throughout the organisation.
Take the auditor step-by-step through a process and show them the related records and documents and answer the questions or demonstrate the process that's been taken. It is important that an auditor should only ever observe. An auditor should not be asking to take the mouse of a computer system to look through documentation on a system, they should not be asking to step in front of a machine or go into a location that they should not be allowed to go into.
It is important that they are observing at all times and you have control over that, as this is your organisation. You have the controls in place to guide the auditor to the locations where they can and cannot go.
It is important to point out at this time that if an auditor comes to your site, and particularly if it's a site that has significant risks and there's requirements of personal protective equipment needed, if the auditor has not got that kept with them, you're perfectly within your right to ensure that the auditor cannot get access to certain locations.
Yes, of course as a visitor, you may allow them to gain access to a limited space, so they can observe from distance. But it is important that you never allow an auditor any additional preferential treatment over any other visitor that comes to your site.
Going back to the processes and steps.
It is often the case that an auditor will provide a step by step guide as to what the scope of the audit is going to be, whether it's a full certification or recertification audit, or it’s a surveillance audit. It is important that if they do not provide you a guide on the scope, and the outline of what the audit is going to look like, do take the opportunity to go to the auditor or the auditing organisation and ask them for the plan and what they're expecting to look at.
This will give you an opportunity to focus your attention ahead of the audit, to show and share with other people within the organisation where you expect the auditor to look. But please do remember that many auditors will regularly observe other activities that may be going on within your organisation. If you are aware of any weaknesses within your organisation, then you have to try and reinforce them. An example of that may be an individual within your organisation, or a team within your organisation, that regularly do not comply with some of the things that are required.
Let's use PPE as an example. It's important that you reinforce that as much as possible, and where required, remove these individuals. Remove them from the shop floor, remove them from the location of work at the time of the audit.
The key thing here about how you present to an auditor, is you are not offering any more than the auditor is asking. You're stepping stage by stage through your process, your project, your procedures.
Please remember that often the auditor, unless they've been at your site many, many times over a number of years, the auditor is not familiar or not familiar enough with your detailed operational activities and processes that you follow, to be able to understand clearly and in infinite detail what it is that you do.
You are in charge. You are responsible at that stage, to be able to just step by step go through and demonstrate what it is you do each stage and the evidence that may support how you demonstrate that an object has gone through a manufacturing facility or a project has been developed. They want to see the control that you have and for you to be able to demonstrate the evidence.
So, some of the things associated to your employees. What if your employee doesn't understand what the auditor is asking?
You must remember and make it quite clear to your employees, that's okay. Often auditors use terminology and language straight from the standards. They use the content of the standards to phrase the question. In these situations, always go back and ask the auditor to rephrase the question or give you an example of what they would expect to see associated to that question. Always seek clarification if you're unsure, do not simply accept an auditor saying 'it looks like you do not do this. You're not telling me how that happens. You're not presenting what I'm looking for.'
In such a situation, pause the audit and go and seek clarification from a supervisor, from a manager or someone who has other responsibilities, possibly to do with compliance, to do with an audit.
That's really important. If you do not understand even after asking the question, asking the auditor to rephrase the question.
Okay, so what about the situation where auditees, your employees, are a little bit concerned that, ‘what if an auditor asks me questions about something within an organisation that I don't do, that I'm not really responsible for, and to be honest, I don't get involved in it very much?’
In most situations, it's important to let the auditor know that you or that person, if they're being interviewed, you are not responsible for those steps. You're not responsible for that activity. You need to be able to, rather than fumble and try and guess an answer, if you do not know and you are not responsible, direct them to the person that is responsible, or seek advice again from your supervisor.
It's perfectly okay again, to pause the interview with the auditor and go and seek some advice. Do not offer any other information to the auditor.
It's really important that you express to your employees that they do not show the auditor or answer questions associated from the auditor, more than they are asked. Some people can get quite encouraged and quite passionate about what they do, and they can go on and answer and present a lot of information when they're interviewed by an auditor. There is no need to offer information or evidence unless the auditor asks for it. And that's really important that you make all of your employees aware of that.
What about an understanding in your organisation of what to take from an external audit?
If you don't agree with the findings presented at a closing meeting, ask for more detailed explanation with evidence and take the opportunity to correct anything.
If at that closing meeting, or the end of the day or the end of a session, the auditor explains something that they believe is a finding, you have every opportunity at that stage to go back to the auditor and correct it. That's a fundamental important thing that many people on the receiving end of audits do not understand. They think simply because the auditor has documented it, that's a finding, and ultimately they have to respond to it at a later date. That is not correct.
If there has been any form of misunderstanding, could be on the auditor's side, could be on one of your employees' side, it's important that you take that opportunity to clarify and correct anything that you can at that time before the audit is complete.
It's also important to embrace audits.
Having a leadership team that sees audits as a positive thing is really good for an organisation. It spreads the message down through the organisation that findings from an external audit, and an internal audit, should be seen as opportunities to improve. Something that is identified as an OFI, an observation, a minor non-conformance, or major non-conformance, always should be seen as an opportunity to improve your systems and practices and present evidence of how that can be done.
Please remember not to panic, you are always given the opportunity and time after an audit to correct things. No auditor is expecting every business to be perfect. It is important to recognize that if the auditor does identify something that you agree with, you see it as an opportunity to improve but please remember not to panic, you have time to correct things and present them back to the auditing organisation.
Lastly, one of the things I want to say is, if after the audit has taken place, once you investigate a potential finding, and you believe that that opportunity that they have presented to you is not going to bring any benefit or be relevant to your business, you have the opportunity to fight your case, and push back on the auditor and auditing company to say, we have investigated this, here is the evidence of what we have done, and we believe based on the information presented by the auditor, we either meet the requirements of the standard, but we do not feel that their recommendation will bring about any benefit to our organisation, and ultimately may cost you time and effort, which is not something that you're willing to put effort into.